Hi, I’ve created a custom action that runs as part of the Login flow and as part of the onExecutePostLogin, I’m forming a custom URL and calling api.redirect.sendUserTo. The login experience works as I expect but I’m not seeing a “Success Login” log entry like I do with the Logout/Signup for this same Application, or Logins for another one of my Applications.
The redirect points to an endpoint that I don’t own and so is a bit of a black box in that I can’t send users back to the Auth0 /continue endpoint and so don’t handle
Should I be concerned about this seeing as I don’t require additional user interaction beyond the standard login form?
Welcome to the Auth0 Community!
The user must continue the flow to complete a successful login. Redirect actions are meant to redirect and return to the actions flow.
If you simply need to redirect after the login is complete, you should use a different strategy. i.e.
Hi @dan.woda, thanks for the reply. I’m new to this and slightly drowning in some of the concepts and complexity so any help is very much appreciated!
I was originally using a Rule as part of the login flow setting context.redirect to my Url and then returning the callback function with the context as an argument. This worked well but my understanding is Actions are preferable to Rules going forward so I rewrote my Rule as an Action. I guess my Rule was also resulting in an incomplete login process.
For background, I’m trying to implement Shopify’s Multipass login and as per the docs, I need to redirect users to https://SHOPIFY_DOMAIN/account/login/TOKEN (where TOKEN is what I’m successfully generating in my Action) after Auth0 authentication has taken place.
Weirdly the result of both the Rule and the Action achieve what I’m hoping for in that I’m logged into my application (app A), the redirect takes place and the authentication session is shared across both app A and another application, app B. Logout also works as expected. My assumption is that despite this, the issue must be addressed as without returning to the /continue endpoint, no further Actions in the Flow will run.
I also noticed the same technique I’m using is used for the downtime page example here, but I assume returning the user to /continue is just omitted for brevity?
Thanks again for any help.
It appears this example is not logging the user in but is redirecting them to a generic outage page without authentication.
The important point is that an Access Token/ID Token will not be issued if Actions aren’t completed.
I’m not previously familiar with multipass, but it appears you should be sending your users there from your application, not from Actions/Rules. Are you following a guide that is telling you to do this?
Thanks for the reply Dan.
I’m following this technique. I originally created a Rule very similar to the one in the article (which was working well, but only on the face of it!) and have now migrated my Rule to an Action instead.
And that downtime example seems to imply to me that the redirect happens as part of a successful login flow?
It uses the api.redirect.sendUserTo() method to redirect the user to the given URL after they log in. Keep in mind that users will see the downtime page only after logging in successfully.
In this example, the user never finishes the authentication pipeline and the application is never issued a token from the auth server…
I can see how this is misleading. The user’s credentials are verified, but similarly does not complete the entire pipeline, and is never issued a token. Saying the user is logged in is somewhat of a semantic issue but should be revisited. I’ll notify the author.
As for what you should do, it seems to me that you should be completing the transaction with Auth0. After which your application will be issued a set of tokens, and your application should handle the token creation and request to shopify. Does that make sense?
I think I understand now and see what the “correct” method should be. Roughly:
- Generate the Multipass token value and add it to the ID token as a custom claim in my Action
- Allow the callback to the authorized redirect_uri as normal
- Decode the ID token and extract the Multipass token value as an intermediary step on my side
- Redirect to the Shopify Url that includes the Multipass token
Hopefully that achieves the same effect but allows the login transaction to actually complete!
Thanks again for your help with this.
I think that should work! I can’t speak directly to the Shopify end of the flow, but that would appear to achieve what you are after.
P.S. I spoke to the author of our blog and they are going to clarify that redirect must be completed to finish the transaction.
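The four-step flow agreed on above (claim set in the Action, redirect built by the application after the callback), as an added example that is not code from this thread, Auth0 or Shopify. The claim name, the MULTIPASS_SECRET secret name and the caller-supplied login URL prefix are assumptions, and the token construction follows Shopify's published Multipass scheme, so check it against their documentation.

```javascript
const crypto = require('crypto');

const CLAIM = 'https://example.com/multipass'; // hypothetical namespaced claim

// Multipass token: AES-128-CBC over the customer JSON with the IV prepended,
// HMAC-SHA256 appended, URL-safe base64. Both keys come from SHA-256(secret).
function multipassToken(secret, customer) {
  const keys = crypto.createHash('sha256').update(secret).digest();
  const encKey = keys.subarray(0, 16);
  const sigKey = keys.subarray(16, 32);
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-128-cbc', encKey, iv);
  const body = Buffer.concat([
    iv,
    cipher.update(JSON.stringify(customer), 'utf8'),
    cipher.final(),
  ]);
  const sig = crypto.createHmac('sha256', sigKey).update(body).digest();
  return Buffer.concat([body, sig])
    .toString('base64').replace(/\+/g, '-').replace(/\//g, '_');
}

// Auth0 Action: attach the token as an ID token claim and return.
// There is no api.redirect.sendUserTo(), so the flow completes and tokens are issued.
async function onExecutePostLogin(event, api) {
  const token = multipassToken(event.secrets.MULTIPASS_SECRET, {
    email: event.user.email,
    created_at: new Date().toISOString(),
  });
  api.idToken.setCustomClaim(CLAIM, token);
}
exports.onExecutePostLogin = onExecutePostLogin;

// Application side, after the callback to redirect_uri. `claims` is the payload
// of an ID token that the app's OIDC library has already validated.
// `loginUrlPrefix` is the store's Multipass login URL, supplied by the caller.
function shopifyLoginUrl(claims, loginUrlPrefix) {
  const token = claims[CLAIM];
  if (typeof token !== 'string' || !/^[A-Za-z0-9_=-]+$/.test(token)) {
    throw new Error('ID token carries no usable Multipass claim');
  }
  return loginUrlPrefix + token;
}
```

The token lets its holder sign in as that customer, so the application should redirect with it immediately and keep it out of logs.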